cloudkitty/devstack/plugin.sh
Jeremy Liu 7eca672645 Policy in code
This patch introduces the implementation for registering
default policy rules in code. Default rules are defined under
cloudkitty.common.policies. Each API's policies are defined in a
sub-folder under that path and __init__.py contains all the
default policies in code which are registered in the ``init``
enforcer function in cloudkitty/common/policy.py.

This commit does the following:
 - Creates the ``policies`` module that contains all the default
   policies in code.
 - Adds the base policy rules into code (context_is_admin,
   admin_or_owner and default rules).
 - Add policies in code for current APIs
 - Add a tox env to generate default policy sample file
 - Delete policy.json from repo as policies in code will be used.

Change-Id: I257e8cefc2b699fc979c717531cd9ba77233d94b
Implements: blueprint policy-in-code
2017-12-08 16:45:13 +00:00

356 lines
12 KiB
Bash
Executable File

# CloudKitty devstack plugin
# Install and start **CloudKitty** service
# To enable a minimal set of CloudKitty services:
# - enable Ceilometer ;
# - add the following to the [[local|localrc]] section in the local.conf file:
#
# enable_service ck-api ck-proc
#
# Dependencies:
# - functions
# - OS_AUTH_URL for auth in api
# - DEST, DATA_DIR set to the destination directory
# - SERVICE_PASSWORD, SERVICE_TENANT_NAME for auth in api
# - IDENTITY_API_VERSION for the version of Keystone
# - STACK_USER service user
# - HORIZON_DIR for horizon integration
# stack.sh
# ---------
# install_cloudkitty
# configure_cloudkitty
# init_cloudkitty
# start_cloudkitty
# stop_cloudkitty
# cleanup_cloudkitty
# install_python_cloudkittyclient
# Save trace setting
XTRACE=$(set +o | grep xtrace)
set +o xtrace
# Support potential entry-points console scripts
if [[ -d $CLOUDKITTY_DIR/bin ]]; then
CLOUDKITTY_BIN_DIR=$CLOUDKITTY_DIR/bin
else
CLOUDKITTY_BIN_DIR=$(get_python_exec_prefix)
fi
# Functions
# ---------
# create_cloudkitty_accounts() - Set up common required cloudkitty accounts
# Tenant User Roles
# ------------------------------------------------------------------
# service cloudkitty admin # if enabled
function create_cloudkitty_accounts {
create_service_user "cloudkitty"
local cloudkitty_service=$(get_or_create_service "cloudkitty" \
"rating" "OpenStack Rating")
get_or_create_endpoint $cloudkitty_service \
"$REGION_NAME" \
"$CLOUDKITTY_SERVICE_PROTOCOL://$CLOUDKITTY_SERVICE_HOSTPORT/" \
"$CLOUDKITTY_SERVICE_PROTOCOL://$CLOUDKITTY_SERVICE_HOSTPORT/" \
"$CLOUDKITTY_SERVICE_PROTOCOL://$CLOUDKITTY_SERVICE_HOSTPORT/"
# Create the rating role
get_or_create_role "rating"
# Make cloudkitty an admin
get_or_add_user_project_role admin cloudkitty service
# Make CloudKitty monitor demo project for rating purposes
get_or_add_user_project_role rating cloudkitty demo
}
# Test if any CloudKitty services are enabled
# is_cloudkitty_enabled
function is_cloudkitty_enabled {
[[ ,${ENABLED_SERVICES} =~ ,"ck-" ]] && return 0
return 1
}
# Remove WSGI files, disable and remove Apache vhost file
function _cloudkitty_cleanup_apache_wsgi {
if is_service_enabled ck-api && [ "$CLOUDKITTY_USE_MOD_WSGI" == "True" ]; then
sudo rm -f "$CLOUDKITTY_WSGI_DIR"/*
sudo rm -rf "$CLOUDKITTY_WSGI_DIR"
sudo rm -f $(apache_site_config_for cloudkitty)
fi
}
# cleanup_cloudkitty() - Remove residual data files, anything left over from previous
# runs that a clean run would need to clean up
function cleanup_cloudkitty {
_cloudkitty_cleanup_apache_wsgi
# Clean up dirs
rm -rf $CLOUDKITTY_AUTH_CACHE_DIR/*
rm -rf $CLOUDKITTY_CONF_DIR/*
rm -rf $CLOUDKITTY_OUTPUT_BASEPATH/*
for i in $(find $CLOUDKITTY_ENABLED_DIR -iname '_[0-9]*.py' -printf '%f\n'); do
rm -f "${CLOUDKITTY_HORIZON_ENABLED_DIR}/$i"
done
}
# Configure mod_wsgi
function _cloudkitty_config_apache_wsgi {
sudo mkdir -m 755 -p $CLOUDKITTY_WSGI_DIR
local cloudkitty_apache_conf=$(apache_site_config_for cloudkitty)
local venv_path=""
# Copy proxy vhost and wsgi file
sudo cp $CLOUDKITTY_DIR/cloudkitty/api/app.wsgi $CLOUDKITTY_WSGI_DIR/app.wsgi
if [[ ${USE_VENV} = True ]]; then
venv_path="python-path=${PROJECT_VENV["cloudkitty"]}/lib/$(python_version)/site-packages"
fi
sudo cp $CLOUDKITTY_DIR/devstack/apache-cloudkitty.template $cloudkitty_apache_conf
sudo sed -e "
s|%PORT%|$CLOUDKITTY_SERVICE_PORT|g;
s|%APACHE_NAME%|$APACHE_NAME|g;
s|%WSGIAPP%|$CLOUDKITTY_WSGI_DIR/app.wsgi|g;
s|%USER%|$STACK_USER|g;
s|%VIRTUALENV%|$venv_path|g
" -i $cloudkitty_apache_conf
}
# configure_cloudkitty() - Set config files, create data dirs, etc
function configure_cloudkitty {
setup_develop $CLOUDKITTY_DIR
sudo mkdir -m 755 -p $CLOUDKITTY_CONF_DIR
sudo chown $STACK_USER $CLOUDKITTY_CONF_DIR
sudo mkdir -m 755 -p $CLOUDKITTY_API_LOG_DIR
sudo chown $STACK_USER $CLOUDKITTY_API_LOG_DIR
touch $CLOUDKITTY_CONF
# generate policy sample file
oslopolicy-sample-generator --config-file $CLOUDKITTY_DIR/etc/oslo-policy-generator/cloudkitty.conf --output-file $CLOUDKITTY_DIR/etc/cloudkitty/policy.yaml.sample
cp $CLOUDKITTY_DIR/etc/cloudkitty/policy.yaml.sample "$CLOUDKITTY_CONF_DIR/policy.yaml"
iniset $CLOUDKITTY_CONF oslo_policy policy_file 'policy.yaml'
cp $CLOUDKITTY_DIR$CLOUDKITTY_CONF_DIR/api_paste.ini $CLOUDKITTY_CONF_DIR
cp $CLOUDKITTY_DIR$CLOUDKITTY_CONF_DIR/metrics.yml $CLOUDKITTY_CONF_DIR
iniset_rpc_backend cloudkitty $CLOUDKITTY_CONF DEFAULT
iniset $CLOUDKITTY_CONF DEFAULT notification_topics 'notifications'
iniset $CLOUDKITTY_CONF DEFAULT debug "$ENABLE_DEBUG_LOG_LEVEL"
iniset $CLOUDKITTY_CONF DEFAULT auth_strategy $CLOUDKITTY_AUTH_STRATEGY
# auth
iniset $CLOUDKITTY_CONF authinfos auth_type v3password
iniset $CLOUDKITTY_CONF authinfos auth_protocol http
iniset $CLOUDKITTY_CONF authinfos auth_url "$KEYSTONE_SERVICE_URI/v3"
iniset $CLOUDKITTY_CONF authinfos identity_uri "$KEYSTONE_SERVICE_URI/v3"
iniset $CLOUDKITTY_CONF authinfos username cloudkitty
iniset $CLOUDKITTY_CONF authinfos password $SERVICE_PASSWORD
iniset $CLOUDKITTY_CONF authinfos project_name $SERVICE_TENANT_NAME
iniset $CLOUDKITTY_CONF authinfos tenant_name $SERVICE_TENANT_NAME
iniset $CLOUDKITTY_CONF authinfos region_name $REGION_NAME
iniset $CLOUDKITTY_CONF authinfos user_domain_name default
iniset $CLOUDKITTY_CONF authinfos project_domain_name default
iniset $CLOUDKITTY_CONF authinfos debug "$ENABLE_DEBUG_LOG_LEVEL"
iniset $CLOUDKITTY_CONF keystone_fetcher auth_section authinfos
iniset $CLOUDKITTY_CONF keystone_fetcher keystone_version 3
# collect
iniset $CLOUDKITTY_CONF collect collector $CLOUDKITTY_COLLECTOR
iniset $CLOUDKITTY_CONF ${CLOUDKITTY_COLLECTOR}_collector auth_section authinfos
iniset $CLOUDKITTY_CONF collect services $CLOUDKITTY_SERVICES
iniset $CLOUDKITTY_CONF collect metrics_conf $CLOUDKITTY_CONF_DIR/$CLOUDKITTY_METRICS_CONF
# output
iniset $CLOUDKITTY_CONF output backend $CLOUDKITTY_OUTPUT_BACKEND
iniset $CLOUDKITTY_CONF output basepath $CLOUDKITTY_OUTPUT_BASEPATH
iniset $CLOUDKITTY_CONF output pipeline $CLOUDKITTY_OUTPUT_PIPELINE
# database
local dburl=`database_connection_url cloudkitty`
iniset $CLOUDKITTY_CONF database connection $dburl
# keystone middleware
configure_auth_token_middleware $CLOUDKITTY_CONF cloudkitty $CLOUDKITTY_AUTH_CACHE_DIR
if is_service_enabled ck-api && [ "$CLOUDKITTY_USE_MOD_WSGI" == "True" ]; then
_cloudkitty_config_apache_wsgi
fi
}
# create_cloudkitty_cache_dir() - Part of the init_cloudkitty() process
function create_cloudkitty_cache_dir {
# Create cache dir
sudo mkdir -p $CLOUDKITTY_AUTH_CACHE_DIR/api
sudo chown $STACK_USER $CLOUDKITTY_AUTH_CACHE_DIR/api
rm -f $CLOUDKITTY_AUTH_CACHE_DIR/api/*
sudo mkdir -p $CLOUDKITTY_AUTH_CACHE_DIR/registry
sudo chown $STACK_USER $CLOUDKITTY_AUTH_CACHE_DIR/registry
rm -f $CLOUDKITTY_AUTH_CACHE_DIR/registry/*
}
# create_cloudkitty_data_dir() - Part of the init_cloudkitty() process
function create_cloudkitty_data_dir {
# Create data dir
sudo mkdir -p $CLOUDKITTY_DATA_DIR
sudo chown $STACK_USER $CLOUDKITTY_DATA_DIR
rm -rf $CLOUDKITTY_DATA_DIR/*
# Create locks dir
sudo mkdir -p $CLOUDKITTY_DATA_DIR/locks
sudo chown $STACK_USER $CLOUDKITTY_DATA_DIR/locks
}
# init_cloudkitty() - Initialize CloudKitty database
function init_cloudkitty {
# Delete existing cache
sudo rm -rf $CLOUDKITTY_AUTH_CACHE_DIR
sudo mkdir -p $CLOUDKITTY_AUTH_CACHE_DIR
sudo chown $STACK_USER $CLOUDKITTY_AUTH_CACHE_DIR
# Delete existing cache
sudo rm -rf $CLOUDKITTY_OUTPUT_BASEPATH
sudo mkdir -p $CLOUDKITTY_OUTPUT_BASEPATH
sudo chown $STACK_USER $CLOUDKITTY_OUTPUT_BASEPATH
# (Re)create cloudkitty database
recreate_database cloudkitty utf8
# Migrate cloudkitty database
$CLOUDKITTY_BIN_DIR/cloudkitty-dbsync upgrade
# Init the storage backend
$CLOUDKITTY_BIN_DIR/cloudkitty-storage-init
create_cloudkitty_cache_dir
create_cloudkitty_data_dir
}
# install_cloudkitty() - Collect source and prepare
function install_cloudkitty {
git_clone $CLOUDKITTY_REPO $CLOUDKITTY_DIR $CLOUDKITTY_BRANCH
setup_develop $CLOUDKITTY_DIR
}
# start_cloudkitty() - Start running processes, including screen
function start_cloudkitty {
run_process ck-proc "$CLOUDKITTY_BIN_DIR/cloudkitty-processor --config-file=$CLOUDKITTY_CONF"
if [[ "$CLOUDKITTY_USE_MOD_WSGI" == "False" ]]; then
run_process ck-api "$CLOUDKITTY_BIN_DIR/cloudkitty-api --config-file=$CLOUDKITTY_CONF"
elif is_service_enabled ck-api; then
enable_apache_site cloudkitty
echo_summary "Waiting 15s for cloudkitty-processor to authenticate against keystone before apache is restarted."
sleep 15s
restart_apache_server
tail_log cloudkitty /var/log/$APACHE_NAME/cloudkitty.log
tail_log cloudkitty-api /var/log/$APACHE_NAME/cloudkitty_access.log
fi
echo "Waiting for ck-api ($CLOUDKITTY_SERVICE_HOST:$CLOUDKITTY_SERVICE_PORT) to start..."
if ! wait_for_service $SERVICE_TIMEOUT $CLOUDKITTY_SERVICE_PROTOCOL://$CLOUDKITTY_SERVICE_HOST:$CLOUDKITTY_SERVICE_PORT; then
die $LINENO "ck-api did not start"
fi
}
# stop_cloudkitty() - Stop running processes
function stop_cloudkitty {
# Kill the cloudkitty screen windows
if is_service_enabled ck-proc ; then
stop_process ck-proc
fi
if is_service_enabled ck-api ; then
if [ "$CLOUDKITTY_USE_MOD_WSGI" == "True" ]; then
disable_apache_site cloudkitty
restart_apache_server
else
# Kill the cloudkitty screen windows
stop_process ck-api
fi
fi
}
# install_python_cloudkittyclient() - Collect source and prepare
function install_python_cloudkittyclient {
# Install from git since we don't have a release (yet)
git_clone_by_name "python-cloudkittyclient"
setup_dev_lib "python-cloudkittyclient"
}
# install_cloudkitty_dashboard() - Collect source and prepare
function install_cloudkitty_dashboard {
# Install from git since we don't have a release (yet)
git_clone_by_name "cloudkitty-dashboard"
setup_dev_lib "cloudkitty-dashboard"
}
# update_horizon_static() - Update Horizon static files with CloudKitty's one
function update_horizon_static {
# Code taken from Horizon lib
# Setup alias for django-admin which could be different depending on distro
local django_admin
if type -p django-admin > /dev/null; then
django_admin=django-admin
else
django_admin=django-admin.py
fi
DJANGO_SETTINGS_MODULE=openstack_dashboard.settings \
$django_admin collectstatic --noinput
DJANGO_SETTINGS_MODULE=openstack_dashboard.settings \
$django_admin compress --force
restart_apache_server
}
# configure_cloudkitty_dashboard() - Set config files, create data dirs, etc
function configure_cloudkitty_dashboard {
sudo ln -s $CLOUDKITTY_ENABLED_DIR/_[0-9]*.py \
$CLOUDKITTY_HORIZON_ENABLED_DIR/
update_horizon_static
}
if is_service_enabled ck-api; then
if [[ "$1" == "stack" && "$2" == "install" ]]; then
echo_summary "Installing CloudKitty"
install_cloudkitty
install_python_cloudkittyclient
if is_service_enabled horizon; then
install_cloudkitty_dashboard
fi
cleanup_cloudkitty
elif [[ "$1" == "stack" && "$2" == "post-config" ]]; then
echo_summary "Configuring CloudKitty"
configure_cloudkitty
if is_service_enabled horizon; then
configure_cloudkitty_dashboard
fi
if is_service_enabled key; then
create_cloudkitty_accounts
fi
elif [[ "$1" == "stack" && "$2" == "extra" ]]; then
# Initialize cloudkitty
echo_summary "Initializing CloudKitty"
init_cloudkitty
# Start the CloudKitty API and CloudKitty processor components
echo_summary "Starting CloudKitty"
start_cloudkitty
fi
if [[ "$1" == "unstack" ]]; then
stop_cloudkitty
fi
fi
# Restore xtrace
$XTRACE
# Local variables:
# mode: shell-script
# End: